
AWS-Security-Specialty Practice Questions

AWS Certified Security Specialty (SCS-C03)

Last Update 3 days ago
Total Questions : 179

Dive into our fully updated and stable AWS-Security-Specialty practice test platform, featuring all the latest AWS Certified Security Specialty exam questions added this week. Our preparation tool is more than just an Amazon study aid; it's a strategic advantage.

Our free AWS Certified Security Specialty practice questions are crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about AWS-Security-Specialty. Use this test to pinpoint which areas you need to focus your study on.

Question # 1

A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics. Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client's privilege scope.

Which combination of actions should the company take to prevent this threat? (Select TWO.)

Options:

A.  

In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.

B.  

In the application, add a client ID check. Disconnect from the server if any special character is detected.

C.  

Apply an AWS IoT Core policy that allows "AWSIoTWirelessDataAccess" with the principal set to "client/${iot:Connection.Thing.ThingName}".

D.  

Apply an AWS IoT Core policy to the device to allow "iot:Connect" with the resource set to "client/${iot:ClientId}".

E.  

Apply an AWS IoT Core policy to the device to allow "iot:Connect" with the resource set to "client/${iot:Connection.Thing.ThingName}".

Question # 2

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services. The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

Options:

A.  

Create an AWS PrivateLink endpoint. Specify the existing ALB as the target. Update the CloudFront distribution by setting the PrivateLink endpoint as the origin.

B.  

Create a new internal ALB. Move all the ECS services to the internal ALB. Delete the internet-facing ALB. Update the CloudFront distribution by setting the internal ALB as the origin.

C.  

Modify the listener rules for the existing ALB. Add a condition to forward only the requests that come from IP addresses in the CloudFront origin prefix list.

D.  

Update the CloudFront distribution by adding an X-Shared-Secret custom header for the origin. Modify the listener rules for the existing ALB to forward only the requests in which the X-Shared-Secret header has the correct value.

Question # 3

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

Options:

A.  

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

B.  

Create a new internal ALB and delete the internet-facing ALB.

C.  

Modify the ALB listener rules to allow only CloudFront IP ranges.

D.  

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

Question # 4

A company's data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.

On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company's data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.

Which action should a security engineer take to enforce this data retention policy?

Options:

A.  

Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

B.  

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.

C.  

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.

D.  

Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

Question # 5

A company's security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company's accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

What should the security engineer do to meet these requirements?

Options:

A.  

Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.

B.  

In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.

C.  

Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.

D.  

Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

Question # 6

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.

Which combination of AWS solutions will meet these requirements? (Select TWO.)

Options:

A.  

AWS Site-to-Site VPN

B.  

AWS Direct Connect

C.  

AWS VPN CloudHub

D.  

VPC peering

E.  

NAT gateway

Question # 7

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Select TWO.)

Options:

A.  

Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.

B.  

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.  

Create a VPC endpoint for AWS KMS with private DNS enabled.

D.  

Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E.  

Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

Question # 8

A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account.

What is the MOST secure way to provide this access?

Options:

A.  

Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.

B.  

Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

C.  

Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.

D.  

Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

Question # 9

A company must immediately disable compromised IAM users across all AWS accounts and collect all actions performed by the user in the last 7 days.

Which solution will meet these requirements?

Options:

A.  

Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena.

B.  

Remove IAM policies and query logs in Security Hub.

C.  

Remove permission sets and query logs using CloudWatch Logs Insights.

D.  

Disable the user in IAM Identity Center and query the organizational event data store.

Question # 10

A security engineer needs to configure DDoS protection for a Network Load Balancer (NLB) with an Elastic IP address. The security engineer wants to set up an AWS WAF web ACL with a rate-based rule statement to protect the NLB.

The security engineer needs to determine a rate limit that will not block legitimate traffic. The security engineer has configured the rule statement to aggregate based on the source IP address.

How should the security engineer configure the rule to protect the NLB?

Options:

A.  

Configure the rule to use the Count action.

B.  

Configure the rule to use the Block action.

C.  

Configure the rule to use the Monitor action.

D.  

Configure the rule to use the Allow action.
